
Agreed Upon Procedures


The AUP is customizable to an individual organization’s needs and defines 17 critical risk control areas, procedures and an onsite assessment reporting template.

  • AUP

    The Shared Assessments Agreed Upon Procedures (AUP) is a holistic tool for performing standardized verified or onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool validates SIG responses. The content aligns to the Standardized Information Gathering (SIG) questionnaire.

AUP Bundle


The AUP is a holistic tool for onsite assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment.




The Complete Bundle includes the SIG and AUP bundles, as well as the VRMMM.


Assessment Firms

Become an Assessment Firm Member

Assessment Firms work with the Shared Assessments onsite assessment tool, the Agreed Upon Procedures (AUP), for organizations that need validation of their vendor risk controls.


  • The AUP evaluates controls in the following risk domains:

  • Risk assessment and treatment
  • Security policy
  • Organization security
  • Asset and information management
  • Human resources security
  • Physical and environmental security
  • Operations management
  • Access control
  • Application security
  • Incident event and communications management
  • Business resiliency
  • Compliance
  • Network security
  • Privacy
  • Treatment management
  • 2017 AUP Bundle Enhancements:

    • Allows for execution of a Collaborative Onsite Assessment (COA), a unique and pilot-tested capability, with benefits that include consistency, rigor and efficiency.

    • All sections of the AUP have been amended with language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.

    • Industry updates, including: HIPAA final ruling modifications and PCI DSS version 3.2 updates.

  • 2017 AUP Bundle Enhancements:

    The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results. The template is a mechanism to track “compensating items” and can be used by organizations that do not have a proprietary enterprise risk platform in place to manage onsite assessment results and reporting. Alongside testing for the specific controls identified in the AUP, the AUP Report Template allows an assessor to include any additional mitigating controls (and accompanying documentation) believed to be relevant to providing a sound control environment.

  • The 2017 AUP Bundle includes the 2017 AUP, 2017 AUP Report Template and AUP Overview



    Want access to all the Shared Assessment Program tools, thought leadership and a network of members?

    Find out about Membership or contact us.
